The following issues were found
kernel/printk/printk_safe.c
3 issues
Line: 42
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
atomic_t len; /* length of written data */
atomic_t message_lost;
struct irq_work work; /* IRQ work that flushes the buffer */
unsigned char buffer[SAFE_LOG_BUF_LEN];
};
static DEFINE_PER_CPU(struct printk_safe_seq_buf, safe_print_seq);
static DEFINE_PER_CPU(int, printk_context);
Reported by FlawFinder.
Line: 165
Column: 35
CWE codes:
126
static const char newline[] = KERN_CONT "\n";
printk_safe_flush_line(start, end - start);
printk_safe_flush_line(newline, strlen(newline));
}
return len;
}
Reported by FlawFinder.
Line: 213
Column: 31
CWE codes:
126
if ((i && i >= len) || len > sizeof(s->buffer)) {
const char *msg = "printk_safe_flush: internal error\n";
printk_safe_flush_line(msg, strlen(msg));
len = 0;
}
if (!len)
goto out; /* Someone else has already flushed the buffer. */
Reported by FlawFinder.
kernel/taskstats.c
3 issues
Line: 216
tsk = first;
start_time = ktime_get_ns();
do {
if (tsk->exit_state)
continue;
/*
* Accounting subsystem can call its functions here to
* fill in relevant parts of struct taskstsats as follows
Reported by Cppcheck.
Line: 210
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
goto out;
if (first->signal->stats)
memcpy(stats, first->signal->stats, sizeof(*stats));
else
memset(stats, 0, sizeof(*stats));
tsk = first;
start_time = ktime_get_ns();
Reported by FlawFinder.
Line: 634
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!stats)
goto err;
memcpy(stats, tsk->signal->stats, sizeof(*stats));
send:
send_cpu_listeners(rep_skb, listeners);
return;
err:
Reported by FlawFinder.
kernel/trace/bpf_trace.c
3 issues
Line: 1820
} \
EXPORT_SYMBOL_GPL(bpf_trace_run##x)
BPF_TRACE_DEFN_x(1);
BPF_TRACE_DEFN_x(2);
BPF_TRACE_DEFN_x(3);
BPF_TRACE_DEFN_x(4);
BPF_TRACE_DEFN_x(5);
BPF_TRACE_DEFN_x(6);
BPF_TRACE_DEFN_x(7);
Reported by Cppcheck.
Line: 373
Column: 9
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
u64 args[MAX_TRACE_PRINTK_VARARGS] = { arg1, arg2, arg3 };
u32 *bin_args;
static char buf[BPF_TRACE_PRINTK_SIZE];
unsigned long flags;
int ret;
ret = bpf_bprintf_prepare(fmt, fmt_size, args, &bin_args,
MAX_TRACE_PRINTK_VARARGS);
Reported by FlawFinder.
Line: 1268
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
return -EINVAL;
to_copy = min_t(u32, br_stack->nr * br_entry_size, size);
memcpy(buf, br_stack->entries, to_copy);
return to_copy;
#endif
}
Reported by FlawFinder.
kernel/trace/trace_stack.c
3 issues
Line: 328
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
size_t count, loff_t *ppos)
{
unsigned long *ptr = filp->private_data;
char buf[64];
int r;
r = snprintf(buf, sizeof(buf), "%ld\n", *ptr);
if (r > sizeof(buf))
r = sizeof(buf);
Reported by FlawFinder.
Line: 540
Column: 8
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
return ret;
}
static char stack_trace_filter_buf[COMMAND_LINE_SIZE+1] __initdata;
static __init int enable_stacktrace(char *str)
{
int len;
Reported by FlawFinder.
Line: 547
Column: 3
CWE codes:
120
int len;
if ((len = str_has_prefix(str, "_filter=")))
strncpy(stack_trace_filter_buf, str + len, COMMAND_LINE_SIZE);
stack_tracer_enabled = 1;
return 1;
}
__setup("stacktrace", enable_stacktrace);
Reported by FlawFinder.
kernel/user_namespace.c
3 issues
Line: 775
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Copy over memory. Only set up memory for the forward pointer.
* Defer the memory setup for the reverse pointer.
*/
memcpy(forward, map->extent,
map->nr_extents * sizeof(map->extent[0]));
map->forward = forward;
map->reverse = NULL;
}
Reported by FlawFinder.
Line: 1066
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/* Install the map */
if (new_map.nr_extents <= UID_GID_MAP_MAX_BASE_EXTENTS) {
memcpy(map->extent, new_map.extent,
new_map.nr_extents * sizeof(new_map.extent[0]));
} else {
map->forward = new_map.forward;
map->reverse = new_map.reverse;
}
Reported by FlawFinder.
Line: 1201
Column: 2
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
{
struct seq_file *seq = file->private_data;
struct user_namespace *ns = seq->private;
char kbuf[8], *pos;
bool setgroups_allowed;
ssize_t ret;
/* Only allow a very narrow range of strings to be written */
ret = -EINVAL;
Reported by FlawFinder.
lib/asn1_decoder.c
3 issues
Line: 15
Column: 23
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#include <linux/asn1_decoder.h>
#include <linux/asn1_ber_bytecode.h>
static const unsigned char asn1_op_lengths[ASN1_OP__NR] = {
/* OPC TAG JMP ACT */
[ASN1_OP_MATCH] = 1 + 1,
[ASN1_OP_MATCH_OR_SKIP] = 1 + 1,
[ASN1_OP_MATCH_ACT] = 1 + 1 + 1,
[ASN1_OP_MATCH_ACT_OR_SKIP] = 1 + 1 + 1,
Reported by FlawFinder.
Line: 193
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
#define NR_CONS_STACK 10
unsigned short cons_dp_stack[NR_CONS_STACK];
unsigned short cons_datalen_stack[NR_CONS_STACK];
unsigned char cons_hdrlen_stack[NR_CONS_STACK];
#define NR_JUMP_STACK 10
unsigned char jump_stack[NR_JUMP_STACK];
if (datalen > 65535)
return -EMSGSIZE;
Reported by FlawFinder.
Line: 195
Column: 11
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
unsigned short cons_datalen_stack[NR_CONS_STACK];
unsigned char cons_hdrlen_stack[NR_CONS_STACK];
#define NR_JUMP_STACK 10
unsigned char jump_stack[NR_JUMP_STACK];
if (datalen > 65535)
return -EMSGSIZE;
next_op:
Reported by FlawFinder.
lib/asn1_encoder.c
3 issues
Line: 313
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data_len < len)
return ERR_PTR(-EINVAL);
memcpy(data, string, len);
data += len;
return data;
}
EXPORT_SYMBOL_GPL(asn1_encode_tag);
Reported by FlawFinder.
Line: 354
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data_len < len)
return ERR_PTR(-EINVAL);
memcpy(data, string, len);
data += len;
return data;
}
EXPORT_SYMBOL_GPL(asn1_encode_octet_string);
Reported by FlawFinder.
Line: 414
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (data_len < len)
return ERR_PTR(-EINVAL);
memcpy(data, seq, len);
data += len;
return data;
}
EXPORT_SYMBOL_GPL(asn1_encode_sequence);
Reported by FlawFinder.
lib/assoc_array.c
3 issues
Line: 866
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_n0->back_pointer = assoc_array_shortcut_to_ptr(new_s0);
new_n0->parent_slot = 0;
memcpy(new_s0->index_key, shortcut->index_key,
keylen * sizeof(unsigned long));
blank = ULONG_MAX << (diff & ASSOC_ARRAY_KEY_CHUNK_MASK);
pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, diff, blank);
new_s0->index_key[keylen - 1] &= ~blank;
Reported by FlawFinder.
Line: 915
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
new_n0->slots[sc_slot] = assoc_array_shortcut_to_ptr(new_s1);
memcpy(new_s1->index_key, shortcut->index_key,
keylen * sizeof(unsigned long));
edit->set[1].ptr = &side->back_pointer;
edit->set[1].to = assoc_array_shortcut_to_ptr(new_s1);
} else {
Reported by FlawFinder.
Line: 1498
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (!new_s)
goto enomem;
pr_devel("dup shortcut %p -> %p\n", shortcut, new_s);
memcpy(new_s, shortcut, (sizeof(struct assoc_array_shortcut) +
keylen * sizeof(unsigned long)));
new_s->back_pointer = new_parent;
new_s->parent_slot = shortcut->parent_slot;
*new_ptr_pp = new_parent = assoc_array_shortcut_to_ptr(new_s);
new_ptr_pp = &new_s->next_node;
Reported by FlawFinder.
lib/crc32.c
3 issues
Line: 58
Column: 30
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
/* implements slicing-by-4 or slicing-by-8 algorithm */
static inline u32 __pure
crc32_body(u32 crc, unsigned char const *buf, size_t len, const u32 (*tab)[256])
{
# ifdef __LITTLE_ENDIAN
# define DO_CRC(x) crc = t0[(crc ^ (x)) & 255] ^ (crc >> 8)
# define DO_CRC4 (t3[(q) & 255] ^ t2[(q >> 8) & 255] ^ \
t1[(q >> 16) & 255] ^ t0[(q >> 24) & 255])
Reported by FlawFinder.
Line: 146
Column: 61
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @tab: little-endian Ethernet table
* @polynomial: CRC32/CRC32c LE polynomial
*/
static inline u32 __pure crc32_le_generic(u32 crc, unsigned char const *p,
size_t len, const u32 (*tab)[256],
u32 polynomial)
{
#if CRC_LE_BITS == 1
int i;
Reported by FlawFinder.
Line: 294
Column: 61
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
* @tab: big-endian Ethernet table
* @polynomial: CRC32 BE polynomial
*/
static inline u32 __pure crc32_be_generic(u32 crc, unsigned char const *p,
size_t len, const u32 (*tab)[256],
u32 polynomial)
{
#if CRC_BE_BITS == 1
int i;
Reported by FlawFinder.
lib/crypto/chacha20poly1305-selftest.c
3 issues
Line: 8844
Column: 2
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
u32 le_key[8];
int i;
memcpy(&bottom_row[4], nonce, 12);
for (i = 0; i < 8; ++i)
le_key[i] = get_unaligned_le32(key + sizeof(le_key[i]) * i);
chacha_init(chacha20_state, le_key, bottom_row);
chacha20_crypt(chacha20_state, b.block0, b.block0, sizeof(b.block0));
poly1305_init(&poly1305_state, b.block0);
Reported by FlawFinder.
Line: 8924
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
for (i = 0; i < ARRAY_SIZE(chacha20poly1305_enc_vectors); ++i) {
if (chacha20poly1305_enc_vectors[i].nlen != 8)
continue;
memcpy(computed_output, chacha20poly1305_enc_vectors[i].input,
chacha20poly1305_enc_vectors[i].ilen);
sg_init_one(sg_src, computed_output,
chacha20poly1305_enc_vectors[i].ilen + POLY1305_DIGEST_SIZE);
ret = chacha20poly1305_encrypt_sg_inplace(sg_src,
chacha20poly1305_enc_vectors[i].ilen,
Reported by FlawFinder.
Line: 8966
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
}
for (i = 0; i < ARRAY_SIZE(chacha20poly1305_dec_vectors); ++i) {
memcpy(computed_output, chacha20poly1305_dec_vectors[i].input,
chacha20poly1305_dec_vectors[i].ilen);
sg_init_one(sg_src, computed_output,
chacha20poly1305_dec_vectors[i].ilen);
ret = chacha20poly1305_decrypt_sg_inplace(sg_src,
chacha20poly1305_dec_vectors[i].ilen,
Reported by FlawFinder.